Stop Buffer Overflows in Their Tracks with Intel® Memory Protection Extensions (Intel® MPX); Intel® Technology Enhancements to Prevent Common Exploits at the Hardware Level

Baiju Patel, Ph.D.
Senior Principal Engineer/Manager, Intel Corporation

SECS003
Agenda

• Overview
• Intel® Memory Protection Extensions (Intel® MPX) Examples
• Storing Bounds in Memory
• Enabling Approach
• Summary
• Resources
Overview
• New instructions to enable runtime buffer overflow checks
• Most C/C++ applications should be able to use Intel® Memory Protection Extensions (Intel® MPX) by:
– Recompilation of existing code without source changes
– Interoperating with legacy libraries
– Running an Intel MPX enabled binary on legacy systems (no benefits there)
– Enabling or disabling Intel MPX for each application dynamically
• Working with OS/tool vendors to facilitate broad use
– Intel MPX instructions are not limited to a specific use

Intel MPX will help improve software security and robustness
Overview
• Four new 128-bit bound registers, BND0..BND3, to store bounds
– Existing register usage not impacted
• New instructions to check bounds prior to memory access
– Exception on bound violations
• New instructions to load/store bounds in a separate memory region
– CPU manages the pointer-to-bounds association in memory
– No changes to data structure layout
• Run-time "opt-in" capability
• Intel MPX extensions are NOP when opted out or on legacy systems

[Figure: address space from 0x0000 0000 to 0xFFFF FFFF containing a buffer that spans 0x00F3 2210 to 0x00F3 2250; a bound register holds the pair Upper Bound | Lower Bound, e.g. BND0 = 00F3 2250 00F3 2210]

Intel® Memory Protection Extensions (Intel® MPX)
Example: strcpy (check write bounds)

    // s2 is in RDX and s1 in RCX; bounds for s1 are in BND0 by calling convention
    strcpy(char *s1, char *s2) {
        while (*s1++ = *s2++) {}
    }

MPX-enabled code generated for it (BND0 is one of the new registers; BNDCL, BNDCU and the BND prefix are MPX instructions):

        BNDCL BND0, [RCX]   ; check s1 (RCX) LB against bounds in BND0
    L1: MOVB AL, [RDX]      ; load a char
        INC RDX
        BNDCU BND0, [RCX]   ; check UB for s1 before write
        MOVB [RCX], AL
        INC RCX
        TESTB AL, AL
        BND JNE L1          ; BND (0xF2) prefix: keeps bound registers from being INIT'ed in MPX enabled code, NOP otherwise
        BND RET

BNDCL and BNDCU check the lower and upper bounds; if a check fails, the CPU signals exception #BR.
Example: MPX Off or Legacy CPU

    // s2 is in RDX and s1 in RCX; bounds for s1 are in BND0 by calling convention
    strcpy(char *s1, char *s2) {
        while (*s1++ = *s2++) {}
    }

The same binary on a legacy CPU, or with MPX turned off: every MPX instruction executes as a NOP.

        BNDCL BND0, [RCX]   ; NOP
    L1: MOVB AL, [RDX]
        INC RDX
        BNDCU BND0, [RCX]   ; NOP
        MOVB [RCX], AL
        INC RCX
        TESTB AL, AL
        BND JNE L1          ; same as JNE
        BND RET             ; same as RET

One binary for non-MPX and MPX systems

Dynamically turn MPX on/off on an MPX system
Managing Bounds
• Bounds are associated with pointers, not with buffers
• Bounds are created at time of allocation
– By the compiler (e.g., for buffers on the stack)
– By the runtime (e.g., malloc): for p = malloc(size), malloc returns the bounds of p in BND0

    malloc:
        ... existing malloc code ...
        BNDMK BND0, [p+size-1]   ; bounds of p are [p, p+size-1]
        BND RET

  or, using a compiler intrinsic:

    void *malloc(int size) {
        ... existing malloc code ...
        p = __chkp_make_bounds(p, size);
        return p;
    }

• Type casting does not change bounds
• Bounds may be narrowed when accessing members, for tighter checking
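A software model of the bound checks described on the strcpy and Managing Bounds slides. This is an added example, not Intel's code or the compiler's output: bnd_t stands in for a BNDn register, bndmk/bndcl/bndcu mimic BNDMK/BNDCL/BNDCU, and #BR is reported as a return value instead of an exception.

```c
/* Software model of the MPX bound checks on the strcpy slides. Added example,
 * not Intel's code: bnd_t stands in for a BNDn register, bndmk/bndcl/bndcu for
 * BNDMK/BNDCL/BNDCU, and #BR is modelled as a return value, not an exception. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uintptr_t lb, ub; } bnd_t;   /* lower/upper bound, both inclusive */

/* BNDMK BNDn, [p + size - 1]: bounds cover [p, p + size - 1] */
static bnd_t bndmk(const void *p, size_t size) {
    bnd_t b = { (uintptr_t)p, (uintptr_t)p + size - 1 };
    return b;
}
/* BNDCL / BNDCU: return 1 where the CPU would raise #BR */
static int bndcl(bnd_t b, const void *p) { return (uintptr_t)p < b.lb; }
static int bndcu(bnd_t b, const void *p) { return (uintptr_t)p > b.ub; }

/* strcpy as compiled on the strcpy slide: lower bound checked once on entry,
 * upper bound checked before every byte store. Returns -1 on success, otherwise
 * the index of the first byte whose store would have raised #BR. */
static long mpx_strcpy(char *s1, bnd_t bnd_s1, const char *s2) {
    if (bndcl(bnd_s1, s1)) return 0;             /* BNDCL BND0, [RCX] */
    for (long i = 0; ; i++) {
        char c = s2[i];                          /* MOVB AL, [RDX]; INC RDX */
        if (bndcu(bnd_s1, s1 + i)) return i;     /* BNDCU BND0, [RCX] -> #BR */
        s1[i] = c;                               /* MOVB [RCX], AL; INC RCX */
        if (c == '\0') return -1;                /* TESTB AL, AL; BND JNE L1 */
    }
}

/* The "Call to strcpy" scenario: str1[100], str2[120], with a constructed
 * 119-char source. The store at index 100 is the first one past str1's bound. */
long overflow_demo(void) {
    char str1[100], str2[120];
    memset(str2, 'A', 119); str2[119] = '\0';
    bnd_t bnd0 = bndmk(str1, sizeof str1);       /* BNDMK BND0, [RCX+99] */
    return mpx_strcpy(str1, bnd0, str2);         /* 100 */
}

/* A source that fits is copied completely and passes every check. */
long in_bounds_demo(void) {
    char str1[100];
    bnd_t bnd0 = bndmk(str1, sizeof str1);
    return mpx_strcpy(str1, bnd0, "hello");      /* -1 */
}
```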
Example: Call to strcpy

    // caller
    char str1[100], str2[120];
    strcpy(str1, str2);

    // callee
    strcpy(char *s1, char *s2) {
        while (*s1++ = *s2++) {}
    }

MPX-enabled code for caller and callee:

        MOV RCX, $str1
        BNDMK BND0, [RCX+99]    ; bounds of str1 in BND0
        MOV RDX, $str2
        BND CALL $strcpy

    strcpy:
        BNDCL BND0, [RCX]
    L1: MOVB AL, [RDX]
        INC RDX
        BNDCU BND0, [RCX]       ; #BR if s2 was >100 chars long
        MOVB [RCX], AL
        ...
        BND RET

The calling convention is extended to include the bound registers

Calling conventions for the existing registers are unchanged, for compatibility
Example: Legacy Call to MPX Enabled strcpy

    // compiled by a legacy compiler
    int str1[100], str2[120];
    strcpy(str1, str2);

    // compiled by an MPX compiler
    strcpy(char *s1, char *s2) {
        while (*s1++ = *s2++) {}
    }

Legacy caller: no BNDMK is emitted, and the CALL carries no BND prefix, so it INITs all bound registers.

        MOV RCX, $str1
        MOV RDX, $str2
        CALL $strcpy            ; INIT all bound registers

MPX-enabled callee: BND0 is INIT (unbounded), so both checks succeed.

    strcpy:
        BNDCL BND0, [RCX]       ; check will succeed
    L1: MOVB AL, [RDX]
        INC RDX
        BNDCU BND0, [RCX]       ; check will succeed
        ...
        BND RET

A near CALL, RET, JMP/Jcc without the BND prefix will INIT all bound registers
Example: MPX Enabled Call to Legacy strcpy

    // compiled by an MPX compiler
    char str1[100], str2[120];
    strcpy(str1, str2);

    // compiled by a legacy compiler
    strcpy(char *s1, char *s2) {
        while (*s1++ = *s2++) {}
    }

MPX-enabled caller creates bounds for str1 and passes them in BND0:

        MOV RCX, $str1
        BNDMK BND0, [RCX+99]
        MOV RDX, $str2
        BND CALL $strcpy

Legacy callee contains no BNDCL/BNDCU, so the bounds in BND0 are not checked inside it and an overlong s2 is not caught there; its RET has no BND prefix, so it INITs the bound registers on return.

    strcpy:
    L1: MOVB AL, [RDX]
        INC RDX
        MOVB [RCX], AL
        ...
        RET
Storing Bounds in Memory

[Figure: two data layouts side by side.]
• Fat pointers today: Pointer 1, Bounds 1, Pointer 2, Bounds 2, Data; the bounds are stored inline next to each pointer, which changes the existing data structure layout.
• Outlying bounds: the existing data structure layout (Pointer 1, Pointer 2, Data) is kept for compatibility, and Bounds 1 and Bounds 2 live in separate memory that the application allocates for storing bounds.
Storing and Loading Bounds

    // RAX contains ptr to buf 1; RDX points to the memory location where the pointer is stored
    MOV [RDX], RAX              ; store the pointer
    BNDSTX [RDX], RAX, BND0     ; store its bounds from BND0 into bound memory
    ...
    MOV RAX, [RDX]              ; load the pointer
    BNDLDX RAX, BND0, [RDX]     ; load the bounds for it back into BND0

[Figure: application memory holds "Ptr to buf 1", "Ptr to buf 25" and Data; address translation maps each pointer's storage location to a bound-memory entry holding the pointer value and its bounds: "Ptr to buf 1" / "Bnds of ptr to buf 1", "Ptr to buf 25" / "Bnds of ptr to buf 25".]

RDX points to the memory location where the pointer is stored

RAX contains the pointer value
BND0 contains the bounds for the pointer
Interoperability With Legacy

    MPX code                    Legacy code            MPX code
    MOV [RDX], RAX              ...                    MOV RAX, [RDX]
    BNDSTX [RDX], RAX, BND0     MOV [RDX], buf2        BNDLDX RAX, BND0, [RDX]   ; BND0 INIT on no match

[Figure, three stages: after the MPX store, application memory holds Ptr to buf 1 (plus Ptr to buf 25 and Data) and bound memory holds Ptr to buf 1 / Bnds of ptr to buf 1 and Ptr to buf 25 / Bnds of ptr to buf 25. The legacy code overwrites the application slot with Ptr to buf 2 but leaves bound memory unchanged, still recording Ptr to buf 1. On BNDLDX the pointer value in bound memory (buf 1) does not match the loaded pointer (buf 2), so BND0 is INIT'ed.]

BND INIT when the two copies of the pointer are not the same helps with legacy interoperability
RDX points to the memory location where the pointer is stored
RAX contains the pointer value, BND0 contains the bounds for the pointer
Interoperability: MPX Code

    MPX code - module 1         MPX code - module 2        MPX code
    MOV [RDX], RAX              MOV [RDX], buf2            MOV RAX, [RDX]
    BNDSTX [RDX], RAX, BND0     BNDSTX [RDX], RAX, BND0    BNDLDX RAX, BND0, [RDX]   ; BND0 is loaded because of match

[Figure, three stages: module 1 stores Ptr to buf 1 and its bounds; module 2, also MPX code, overwrites the slot with Ptr to buf 2 and updates bound memory to Ptr to buf 2 / Bnds of ptr to buf 2; on BNDLDX the stored pointer value matches the loaded one, so BND0 receives the bounds of buf 2. Ptr to buf 25 / Bnds of ptr to buf 25 are unaffected throughout.]

RDX points to the memory location where the pointer is stored

RAX contains the pointer value
BND0 contains the bounds for the pointer
Address Translation for Bound Access

[Figure: the address where the pointer is stored in memory is split into a bound directory index (BDn) and a bound table index (Bn). BDn selects a bound directory entry that holds the address of a bound table (Address of BT0, Address of BT1, ...); Bn, added to that address, selects the entry (Bound 0, Bound 1, ..., Bound n) within the table. Each bound table entry holds: Lower Bound, Upper Bound, Pointer value, Reserved. BD: Bound Directory; BT: Bound Table. Both reside in application memory.]

• Bound directory and bound tables are dynamically allocated
• Freed as part of heap management or by a background compaction thread
• The upper bound is represented in 1's complement to simplify initialization of BT pages (zero-initialized memory represents unbounded access)
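A software model of the bound-memory behaviour described on the Storing and Loading Bounds, Interoperability and Address Translation slides. This is an added example, not Intel's code: the two-level BD/BT walk is collapsed into a fixed array indexed by the pointer slot (an assumption made for illustration), while the entry layout, the 1's-complement upper bound and the pointer-match rule of BNDLDX follow the slides.

```c
/* Software model of BNDSTX/BNDLDX and the bound-table entry of the "Address
 * Translation" slide. Added example, not Intel's code: the BD/BT two-level walk
 * is replaced by a fixed array indexed by the pointer slot (an assumption). */
#include <stddef.h>
#include <stdint.h>
typedef struct { uintptr_t lb, ub; } bnd_t;           /* bound register, ub inclusive */
/* BT entry: pointer value, lower bound, upper bound in 1's complement, reserved.
 * Zero-filled BT pages therefore decode to ub = ~0, i.e. unbounded. */
typedef struct { uintptr_t ptr, lb, ub_inv, reserved; } bt_entry_t;
static bt_entry_t bound_table[8];       /* zero-initialised like fresh BT memory */
static void *pointer_memory[8];         /* application memory holding the pointers */
static size_t slot_of(void **addr) { return (size_t)(addr - pointer_memory); }

/* BNDSTX: record the bounds together with the pointer value they belong to */
static void bndstx(void **addr, void *ptr, bnd_t b) {
    bt_entry_t *e = &bound_table[slot_of(addr)];
    e->ptr = (uintptr_t)ptr; e->lb = b.lb; e->ub_inv = ~b.ub;
}
/* BNDLDX: bounds come back only if the table's pointer matches the pointer just
 * loaded from memory; on mismatch the register is INIT'ed (unbounded). */
static bnd_t bndldx(void **addr, void *ptr) {
    bt_entry_t *e = &bound_table[slot_of(addr)];
    bnd_t b = { 0, ~(uintptr_t)0 };
    if (e->ptr == (uintptr_t)ptr) { b.lb = e->lb; b.ub = ~e->ub_inv; }
    return b;
}
static int is_init(bnd_t b) { return b.lb == 0 && b.ub == ~(uintptr_t)0; }

/* Legacy interop: MPX code stores buf1 with bounds, legacy code overwrites the
 * slot with buf2 (plain MOV, table untouched), MPX code reloads -> BND0 INIT. */
int legacy_overwrite_gives_init(void) {
    static char buf1[64], buf2[64];
    bnd_t b = { (uintptr_t)buf1, (uintptr_t)buf1 + 63 };
    pointer_memory[0] = buf1; bndstx(&pointer_memory[0], buf1, b);
    pointer_memory[0] = buf2;                  /* legacy MOV [RDX], buf2 */
    return is_init(bndldx(&pointer_memory[0], pointer_memory[0]));
}
/* MPX-to-MPX: module 2 also updates the table, so the reload gets buf2's bounds. */
int mpx_overwrite_keeps_bounds(void) {
    static char buf1[64], buf2[32];
    bnd_t b1 = { (uintptr_t)buf1, (uintptr_t)buf1 + 63 };
    bnd_t b2 = { (uintptr_t)buf2, (uintptr_t)buf2 + 31 };
    pointer_memory[1] = buf1; bndstx(&pointer_memory[1], buf1, b1);
    pointer_memory[1] = buf2; bndstx(&pointer_memory[1], buf2, b2);
    bnd_t got = bndldx(&pointer_memory[1], pointer_memory[1]);
    return got.lb == b2.lb && got.ub == b2.ub;
}
/* A never-written (all-zero) entry reads as unbounded because ~0 is the upper bound. */
int untouched_slot_is_unbounded(void) { return is_init(bndldx(&pointer_memory[2], NULL)); }
```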
Proposed MPX ABI Summary
• Caller-save bound registers
– Use the BNDMOV instruction to save/restore bound registers
• Calling convention extensions
– Bi (bound register i) contains the bounds for the i-th pointer passed in a register
– The bounds for a pointer passed in memory are passed using BNDLDX/BNDSTX
• Data layout
– No changes
– Use BNDLDX/BNDSTX to load/store bounds for pointers
• Proposed Linux* ABI
Enabling Approach
• Start using Intel® Memory Protection Extensions (Intel® MPX) during the development process to find buffer overflow bugs
• If the performance of the Intel MPX enabled application is acceptable, release the Intel MPX enabled product
• If the performance impact is unacceptable
– Consider partial enabling: enable only non-performance-critical code with Intel MPX
– Consider performance tuning of performance-critical application code (link to Intel performance optimization tools)
• If the performance impact is still unacceptable
– Consider releasing the product with Intel MPX off by default
– Intel MPX can then be turned on in the field, until a fix is released, in case of attacks
Summary
• New instructions to enable runtime buffer overflow checks
– Prevent most buffer overflows at runtime
– Pinpoint the location of an attempted overflow
– Fewer attacks (viruses, worms, rootkits, bots)
• Most C/C++ applications should be able to use Intel® Memory Protection Extensions (Intel® MPX) by:
– Recompilation of existing code without source changes
– Interoperating with legacy libraries
– Running an Intel MPX enabled binary on legacy systems (no benefits there)
– Enabling or disabling Intel MPX for each application dynamically
• Working with OS/tool vendors to facilitate broad use
– Intel MPX instructions are not limited to a specific use

Intel MPX will help improve software security and robustness
Additional Sources of Information

A PDF of this presentation is available from our Technical Session Catalog: www.intel.com/idfsessionsSF. The URL is at the top of the Session Agenda pages in the Pocket Guide.

The links below are available by downloading the PDF:

• Intel Instruction Set Architecture Extensions
• Intel MPX specification
• Linux* ABI for Intel MPX
• Intel MPX Enabled SDE
• Intel® Intrinsics guide

Intel® Memory Protection Extensions (Intel® MPX)

Intel, Look Inside and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

*Other names and brands may be claimed as the property of others.


Copyright ©2013 Intel Corporation.


Rev. 7/17/13
